Hospitals Are Under ‘Constant Attempts at Attack’ from Hackers, FDA Says
The agency is talking up threats to hospitals and medical devices, but not following up with enforcement.
"Cyber hygiene" is paramount to keeping medical devices in hospitals safe from hackers and malware, Suzanne Schwartz, director of Emergency Preparedness/Operations and Medical Countermeasures for the Center for Devices and Radiological Health, a division of the Food and Drug Administration, told the mHealth Cybersecurity Summit in Washington earlier this week.
Schwartz's speech was the latest in a series of talks emphasizing the FDA's commitment to improving medical device cybersecurity. The issue has been gaining attention recently due to reports that networked medical devices are nearly defenceless against online threats.
"The term 'cyber hygiene' is used by the cybersecurity community to refer to controlling a device's operation in a way that is intended to prevent cybersecurity breaches in the first place," Schwartz explained in an email to Motherboard. "This means safe and proper configuration of available features, the least possible access to functionality and routine cybersecurity servicing."
While it is important to note that the FDA is unaware of any deaths or injuries resulting from a hacked medical device, recent research indicated that medical devices are extremely vulnerable to opportunistic malware. This summer the FDA took the unprecedented step of warning hospitals to stop using a line of drug pumps because of the cybersecurity risk.
The FBI's Cyber Division issued a Private Industry Notification (PIN) to the healthcare industry in 2014, warning that the healthcare sector lags behind better-defended industries such as retail and finance. And a cyber attack on America's second-largest hospital system last year netted the unknown attackers 4.5 million patient records.
Schwartz noted that the FDA's 2013 Safety Communication on Cybersecurity for Medical Devices and Hospital Networks outlined various cyber hygiene practices that are still relevant for facilities today, and its 2014 Final Guidance on Premarket Cybersecurity laid out cyber hygiene best practices for manufacturers.
"It's important for both manufacturers and healthcare delivery organizations to recognize the new reality today—hospitals and healthcare system networks are under constant attempts at attack and intrusion," she added. "Protection of these systems, which contain highly sought after personal health information and personal identifying information, means that medical devices need to be better secured as well."
"Hospitals and healthcare system networks are under constant attempts at attack and intrusion."
Schwartz emphasized that the solution to the "growing cyber threat" hospitals face requires a "whole of community approach," which the FDA aims to foster.
Medical device cybersecurity has suffered from buck-passing and finger pointing in the past. Security researchers have experienced bullying, lawsuits, and even screaming fits when confronting manufacturers with vulnerabilities in their products.
Schwartz made clear that the FDA will not tolerate such tactics, telling manufacturers, "Respond to and address security vulnerabilities that are identified for your marketed devices."
Some security researchers have criticized the FDA for not enforcing stronger cybersecurity regulations for medical devices. But, Schwartz indicated in her talk, hospitals must also play their part by demanding minimum cybersecurity standards from vendors and outsourcers.
"Where feasible," she told hospitals, "include securability for the lifetime of your device in your procurement specs contract language."
The health care system in the US relies heavily on networked medical devices. Every year there are 35 million hospital discharges every year, plus 100 million hospital outpatient visits, 900 million physician office visits, and a billion prescriptions issued, and "most of these encounters likely include a networked medical device," Schwartz said, quoting estimates from the Centers for Disease Control and Prevention.
Schwartz also called for medical device manufacturers to implement vulnerability disclosure policies, saying "coordinated disclosure and proactive vulnerability management are critical to improving the security posture of the ecosystem as a whole."
A vulnerability disclosure policy gives researchers a way to alert manufacturers to vulnerabilities, and publicly commits the manufacturer to dealing with, rather than ignoring, security problems.
Currently only two medical device manufacturers have a published vulnerability disclosure policy, Philips and Dräger—and that's "2 more than last year," tweeted medical device security researcher Scott Erven.
"This is a culture shift and it will necessitate change in mindsets and behaviors," Schwartz told the audience. "The FDA...strongly believes the best way to protect patients from cyber threats is to work together to address medical device vulnerabilities using a total product lifecycle approach."